In previous articles about lateral movement, we have mostly used « live » scenarios where we would either run as the victim user or dump secrets from LSASS memory.
This time, let's look at DPAPI secrets in « offline » scenarios.
About DPAPI, see Wikipedia:
DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
DPAPI secrets are made of:
- a blob containing encrypted data, linked to a masterkey (used to decrypt the blob)
- a masterkey containing one (or several) encrypted key(s)
To decrypt a masterkey (and therefore a blob), you need the following:
- non-domain context: the SID AND the SHA1 hash of the user's password (the password in use when the masterkey was created)
- domain context: the SID AND the NTLM hash of the user's password (the password in use when the masterkey was created)
- local computer: the DPAPI_SYSTEM secret (COMPUTER or USER part)
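Before any decryption question arises, an analyst first wants to know which masterkey a given blob depends on: the blob header carries the masterkey GUID. The following parser is an added example written for this page (not code from the article or from Mimikatz); the field order and widths are an assumption taken from the publicly documented blob layout in Mimikatz's DPAPI headers, the algorithm ids are the standard Windows CALG_* constants, and the sample blob it builds is constructed here for testing (its payload is not real ciphertext).

```python
import struct
import uuid

# Fixed DPAPI provider GUID found at the start of every blob (public, documented value).
PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# Standard Windows ALG_ID values seen in blob headers (used only for labelling).
CALG_NAMES = {0x6610: "AES-256", 0x6603: "3DES", 0x8004: "SHA1", 0x800E: "SHA-512"}


def _read_dword(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_guid(buf, off):
    # Windows stores GUIDs mixed-endian; bytes_le handles the swap of the first three fields.
    return uuid.UUID(bytes_le=buf[off:off + 16]), off + 16


def _read_sized(buf, off):
    # DWORD length prefix followed by that many bytes.
    n, off = _read_dword(buf, off)
    return buf[off:off + n], off + n


def is_dpapi_blob(blob):
    """Cheap sanity check: version 1 and the well-known provider GUID."""
    if len(blob) < 20:
        return False
    version, off = _read_dword(blob, 0)
    provider, _ = _read_guid(blob, off)
    return version == 1 and provider == PROVIDER_GUID


def parse_dpapi_blob(blob):
    """Walk a raw DPAPI blob header (assumed layout, see lead-in) and return the
    metadata that links it to a masterkey. Nothing is decrypted here."""
    if not is_dpapi_blob(blob):
        raise ValueError("not a DPAPI blob (bad version or provider GUID)")
    off = 20  # past dwVersion + guidProvider
    mk_version, off = _read_dword(blob, off)
    mk_guid, off = _read_guid(blob, off)
    flags, off = _read_dword(blob, off)
    description, off = _read_sized(blob, off)   # UTF-16LE, NUL terminated
    alg_crypt, off = _read_dword(blob, off)
    alg_crypt_len, off = _read_dword(blob, off)  # key length in bits
    salt, off = _read_sized(blob, off)
    hmac_key, off = _read_sized(blob, off)       # usually empty
    alg_hash, off = _read_dword(blob, off)
    alg_hash_len, off = _read_dword(blob, off)
    hmac2_key, off = _read_sized(blob, off)
    data, off = _read_sized(blob, off)           # the actual ciphertext
    sign, off = _read_sized(blob, off)           # integrity value over the header/data
    return {
        "masterkey_guid": str(mk_guid),
        "masterkey_version": mk_version,
        "flags": flags,
        "description": description.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": CALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_len,
        "alg_hash": CALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt_len": len(salt),
        "data_len": len(data),
        "sign_len": len(sign),
        "trailing_bytes": len(blob) - off,       # non-zero hints at a truncated/padded dump
    }


def build_sample_blob(mk_guid, description, data):
    """Constructed test input: a syntactically valid blob pointing at mk_guid.
    The payload bytes are arbitrary, NOT real DPAPI ciphertext."""
    def sized(b):
        return struct.pack("<I", len(b)) + b
    desc = (description + "\x00").encode("utf-16-le")
    return (struct.pack("<I", 1) + PROVIDER_GUID.bytes_le
            + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<I", 0)                 # flags
            + sized(desc)
            + struct.pack("<II", 0x6610, 256)      # CALG_AES_256, 256-bit key
            + sized(b"\x11" * 32)                  # salt
            + sized(b"")                           # hmac key (empty)
            + struct.pack("<II", 0x800E, 512)      # CALG_SHA_512
            + sized(b"\x22" * 32)                  # hmac2 key
            + sized(data)
            + sized(b"\x33" * 64))                 # signature


def masterkeys_referenced(blobs):
    """Inventory helper: group a collection of blobs by the masterkey GUID they need,
    so one can see how many secrets fall together when a single masterkey is recovered."""
    groups = {}
    for blob in blobs:
        guid = parse_dpapi_blob(blob)["masterkey_guid"]
        groups[guid] = groups.get(guid, 0) + 1
    return groups


if __name__ == "__main__":
    sample = build_sample_blob("3b0fb9f5-6a0a-4d3e-9e0c-0123456789ab", "Sample secret", b"\x00" * 48)
    print(parse_dpapi_blob(sample))
```

The masterkey GUID reported here is the name of the masterkey file to look for in the user's Protect directory (whose path itself contains the SID), which is exactly what the "SID AND hash" requirement above refers to; the parser stops at the header and does not attempt any decryption.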
In the next 3 (+1) articles, we will see how to decrypt DPAPI secrets.
Before doing so, I recommend reading this article.
Also, most of the knowledge and coding is greatly (understatement here) inspired by the excellent work (another understatement) of gentilkiwi and Mimikatz.